The value of X.509 private/public key authentication is well known to security professionals, but it can be less intuitive to the security novice. In simple terms, X.509 authentication provides an algorithmically proven method for end-users (clients) to confirm that they are communicating with legitimate servers and not attacker sites (See Figure 1). The recent DNS flaw that Dan Kaminsky, a well-respected security industry expert, made known to the IT world via coordinated bug fixes from Cisco, Microsoft and others makes this type of “left-hand side” authentication, in which the client verifies the server, more relevant than ever.

Figure 1- Clients are vulnerable to attacks that lure them to illegitimate sites instead of the target (destination) site.

An X.509 v3 public/private key pair allows an enterprise to utilize “bi-lateral” (client and server) authentication. In this model, the client confirms the legitimacy of the server before passing important credentials, e.g. an account password, or performing transactions such as a signature or financial activity. It is exactly this type of bi-lateral authentication that nullifies DNS attacks like the one recently reported.

So why are more enterprises not utilizing X.509 authentication?

There are two main reasons:

Cost

Complexity

Security personnel have been aware of X.509 bi-lateral authentication since the 1990s. However, cost and complexity have kept it from widespread use (See Figure 2).

Figure 2- The complexity of a “classic” X.509 infrastructure is too daunting for most enterprises.

A key feature of SecureAuth is its ability to utilize the enterprise’s native data store, allowing it to avoid a costly and insecure replication of data. SecureAuth’s authentication server connects directly to the enterprise’s existing data store to create X.509 certificates that map directly to data in the local store (See Figure 3).

The enterprise is issued a unique identifier that allows it to securely utilize MultiFactor’s hosted web services. In addition, certificates granted from the web services are embedded with identifiers that are uniquely registered to that enterprise. The identifier is stored in the end-user’s personal certificate, in the “OU” field (See Figure 4).

Figure 4- The enterprise is assigned a unique OU that is utilized in both certificate delivery and validation; only enterprise-unique certificates are validated.
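The validation rule in Figure 4, as an added example that is not SecureAuth’s code or part of the original article: using only Go’s standard library, a throwaway CA issues an end-user certificate carrying the enterprise identifier in the subject OU (the CA name, end-user name and identifier value are constructed), and the validator accepts a certificate only if it chains to that trusted issuer AND carries the registered OU, since an OU on its own can be written into any self-made certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on fixture errors; every certificate below is constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issueForEnterprise builds a throwaway CA and issues one client certificate whose subject OU carries the enterprise identifier.
func issueForEnterprise(ou string) (ca, leaf *x509.Certificate) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	userKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Test CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "end-user", OrganizationalUnit: []string{ou}}, // the enterprise identifier lives here
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey))))
	return ca, leaf
}

// validateEnterpriseCert accepts leaf only if it chains to the trusted issuer AND its subject OU is the identifier registered to this enterprise.
func validateEnterpriseCert(leaf, trustedCA *x509.Certificate, expectedOU string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err) // forged or foreign-issuer certificates stop here, whatever OU they claim
	}
	for _, ou := range leaf.Subject.OrganizationalUnit {
		if ou == expectedOU {
			return nil
		}
	}
	return fmt.Errorf("OU %q is not registered to this enterprise", leaf.Subject.OrganizationalUnit)
}
```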

This unique ability to issue and validate certificates for an enterprise, without the enterprise ever hosting a certificate server, makes SecureAuth® powerful. SecureAuth® can be deployed in days, which makes it a deployment-must for the enterprise needing a secure solution for its application and network needs.

--Garret Grajek is the COO and a co-founder of MultiFactor Corporation. He is a certified security engineer who has deployed hundreds of security solutions while working for RSA, IBM, Cisco and others.